Share this story

President-elect Donald Trump continues to discount or attempt to discredit reports that the intelligence community has linked the hacking of the DNC, the Hillary Clinton presidential campaign, and related information operations with a Russian effort to prevent Clinton from winning the election—thus assuring Trump's victory. In his latest of a stream of tweets, Trump posted:

Unless you catch "hackers" in the act, it is very hard to determine who was doing the hacking. Why wasn't this brought up before election?

The hacking was brought up well before the election. And it was monitored as it was happening—by the intelligence and law enforcement communities and by private information security firms.

"CrowdStrike's Falcon endpoint technology did catch the adversaries in the act," said Dmitri Alperovitch, chief technology officer of Crowdstrike. "When the DNC brought us in to conduct an investigation in May 2016, we deployed this technology on every system within DNC's corporate network and were able to watch everything that the adversaries were doing while we were working on a full remediation plan to remove them from the network."

Further Reading

Much of the evidence from Crowdstrike and other security researchers has been public since June and July. But while the hackers may have been caught in the act digitally, the details by themselves don't offer definitive proof of the identity of those behind the anti-Clinton hacking campaign. Public details currently don't offer clear insight into the specific intent behind these hacks, either.

What is indisputable, however, is the existence of genuine hacking evidence. And this information certainly does provide enough to give the reported intelligence community findings some context.

The evidence

The FBI warned the DNC of a potential ongoing breach of their network in November of 2015. But the first hard evidence of an attack detected by a non-government agency was a spear-phishing campaign being tracked by Dell SecureWorks. That campaign began to target the DNC, the Clinton campaign, and others in the middle of March 2016, and it ran through mid-April.

This campaign was linked to a "threat group" (designated variously as APT28, Sofacy, Strontium, Pawn Storm, and Fancy Bear) that had previously been tied to spear-phishing attacks on military, government, and non-governmental organizations.

"[SecureWorks] researchers assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government," the report from SecureWorks concluded.

The DNC's information technology team first alerted party officials that there was a potential security problem in late March, but the DNC didn't bring in outside help until May. This is when CrowdStrike's incident response team was brought in. CrowdStrike identified two separate ongoing breaches, as detailed in a June 15, 2016 blog post by CrowdStrike CTO Dmitri Alperovitch. The findings were based both on malware samples found and a monitoring of the breach while it was in progress.

One of those attacks, based on the malware and command and control traffic, was attributed to Fancy Bear. The malware deployed by Fancy Bear was a combination of an agent disguised as a Windows driver file (named twain_64.dll) in combination with a network tunneling tool that allowed remote control connections.

The other breach, which may have been the breach hinted at by the FBI, was a long-running intrusion by a group previously identified as APT29, also known as The Dukes or Cozy Bear. Cozy Bear ran SeaDaddy (also known as SeaDuke, a backdoor developed in Python and compiled as a Windows executable) as well as a one-line Windows PowerShell command that exploited Microsoft's Windows Management Instrumentation (WMI) system. The exploit allowed attackers to persist in WMI's database and execute based on a schedule. Researchers at Fidelis who were given access to malware samples from the hack confirmed that attribution.

In addition to targeting the DNC and the Clinton campaign's Google Apps accounts, the spear-phishing messages connected to the campaign discovered by SecureWorks also went after a number of personal Gmail accounts. It was later discovered that the campaign had compromised the Gmail accounts of Clinton campaign chair John Podesta, former Secretary of State Colin Powell, and a number of other individuals connected to the Clinton campaign and the White House. Many of those e-mails ended up on DC Leaks. The Wikileaks posting of the Podesta e-mails include an e-mail containing the link used to deliver the malware.

After Crowdstrike and the DNC revealed the hacks and attributed them to Russian intelligence-connected groups, some of the files taken from the DNC were posted on a website by someone using the name Guccifer 2.0. While the individual claimed to be Romanian, documents in the initial dump from the DNC by Guccifer 2.0 were found to have been edited using a Russian-language version of Word and by someone using a computer named for Felix Dzerzhinsky, founder of the Soviet secret police. (The documents are linked in this article by Ars' Dan Goodin.)

Attribution and motive

There are several factors used to attribute these hacks to someone working on behalf of Russian intelligence. In the case of Fancy Bear, attribution is based on details from a number of assessments by security researchers. These include:

Focus of purpose. The methods and malware families used in these campaigns are specifically built for espionage.

The targets. A list of previous targets of Fancy Bear malware include:

Individuals in Russia and the former Soviet states who may be of intelligence interest

Current and former members of NATO states' government and military

Western defense contractors and suppliers

Journalists and authors

Fancy Bear malware was also used in the spear-phishing attack on the International Olympic Committee to gain access to the World Anti Doping Agency's systems. This allowed the group to discredit athletes after many Russian athletes were banned from this year's Summer Games.

Long-term investment. The code in malware and tools is regularly and professionally updated and maintained—while maintaining a platform approach. The investment suggests an operation funded to provide long-term data espionage and information warfare capabilities.

Language and location. Artifacts in the code indicate it was written by Russian speakers in the same time zone as Moscow and St. Petersburg, according to a FireEye report.

These don't necessarily point to Fancy Bear being directly operated by Russian intelligence. Other information operations out of Russia (including the "troll factory" operated out of St. Petersburg to spread disinformation and intimidate people) have had tenuous connections to the government.

Scott DePasquale and Michael Daly of the Atlantic Council suggested in an October Politico article that the DNC hack and other information operations surrounding the US presidential campaign may have been the work of "cyber mercenaries"—in essence, outsourcing outfits working as contractors for Russian intelligence. There is also an extremely remote possibility that all of this has been some sort of "false flag" operation by someone else with extremely deep pockets and a political agenda.

WikiLeaks' Julian Assange has insisted that the Russian government is not the source of the Podesta and DNC e-mails. That may well be true, and it can still be true even if the Russian government had a hand in directing or funding the operation. But that is all speculation—the only way that the full scope of Russia's involvement in the hacking campaign and other aspects of the information campaign against Clinton (and for Trump) will be known is if the Obama administration publishes conclusive evidence in a form that can be independently analyzed.

Share this story

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Emailsean.gallagher@arstechnica.com//Twitter@thepacketrat